PocketSOC security glossary
Short, citable definitions of the SOC and incident response terms used across PocketSOC. Each term page includes a 40–60 word definition, longer context, and how the concept relates to mobile incident response.
Terms
EDR →
Endpoint Detection and Response (EDR) is a category of security software that continuously monitors endpoints — laptops, servers, and workstations — for malicious activity.
SOC →
A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.
MTTR →
Mean Time to Respond (MTTR) is the average elapsed time between when a security alert is generated and when the SOC takes a meaningful response action. The same acronym is also used for Mean Time to Resolve or Recover, which measure to closure rather than to first action, so a reported MTTR should state which endpoint it uses.
Host Isolation →
Host isolation is the practice of cutting a compromised endpoint off from the network — typically by blocking all outbound and inbound traffic except a control channel to the EDR platform — so the threat cannot spread, exfiltrate data, or beacon out while the investigation continues.
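The policy described above, modelled as a small Python example added here (it is not PocketSOC code or any EDR vendor's implementation). The EDR platform's address range and control port are assumed values; the script decides per flow whether an isolated host may exchange it and renders the equivalent default-drop nftables ruleset.

```python
"""Model of an EDR host-isolation policy for an endpoint under investigation.

Added illustration, not PocketSOC or any vendor's EDR code. The EDR platform's
address range and control port below are assumed (constructed) values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EDR_CONTROL_NET = ip_network("203.0.113.0/28")  # assumed EDR ingress range (TEST-NET-3)
EDR_CONTROL_PORT = 443                           # assumed EDR control-channel port
LOOPBACK = ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    """One connection as seen from the isolated host."""
    direction: str    # "out" (host initiates) or "in" (remote initiates)
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int  # remote side's port: dst port for "out", src port for "in"
    state: str        # "new" or "established" (conntrack state)


def isolation_allows(flow: Flow) -> bool:
    """Return True only for traffic an isolated host may still exchange.

    Permitted: loopback, outbound TCP to the EDR control endpoint, and the
    established replies coming back from it. Everything else, including DNS,
    inbound administration and lateral SMB/RDP, is dropped.
    """
    remote = ip_address(flow.remote_ip)
    if remote in LOOPBACK:
        return True
    if flow.proto != "tcp" or remote not in EDR_CONTROL_NET:
        return False
    if flow.remote_port != EDR_CONTROL_PORT:
        return False
    if flow.direction == "out":
        return True                          # host -> EDR: new or established
    return flow.state == "established"       # EDR -> host: replies only


def render_nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset (default drop both ways)."""
    net, port = EDR_CONTROL_NET, EDR_CONTROL_PORT
    return "\n".join([
        "table inet isolation {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        f"    ct state established,related ip saddr {net} tcp sport {port} accept",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        f"    ip daddr {net} tcp dport {port} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nft_ruleset())
```

Note that an inbound connection initiated by the EDR platform is refused under this model; if the platform pushes commands rather than having the agent poll, that channel needs its own accept rule, as does any DNS lookup the agent relies on to find the platform. Whatever is added to the allow list is reachable from a host assumed to be compromised, so keep it to the minimum.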
Alert Fatigue →
Alert fatigue is the condition where SOC analysts become desensitized to security alerts because the signal-to-noise ratio is too low.
Dwell Time →
Dwell time is the elapsed period between when an attacker initially compromises an environment and when they are detected.
SIEM →
A Security Information and Event Management (SIEM) platform centralizes logs and security events from across an organization — endpoints, network devices, cloud services, identity providers — and runs detection rules against the combined feed.
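To show what "runs detection rules against the combined feed" buys you, here is a toy pipeline added as an example (not PocketSOC code or any SIEM product's). It normalizes two constructed sources, sshd syslog lines and JSON events from a made-up identity-provider schema, into one event shape and runs a single rule over both. The syslog year is assumed to be 2024 because classic syslog timestamps omit it.

```python
"""Toy SIEM pipeline: normalize events from two sources into one schema and run
a cross-source detection rule over the combined feed.

Added illustration, not PocketSOC or any SIEM vendor's code. The log lines and
identity-provider events below are constructed, and the syslog year is assumed
to be 2024 because BSD syslog timestamps omit it.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2024  # assumed: classic syslog lines carry no year

# Constructed sample: sshd auth log from a Linux host.
SSHD_LOG = """\
Mar  4 10:01:02 web01 sshd[2231]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  4 10:01:09 web01 sshd[2231]: Failed password for alice from 198.51.100.7 port 51023 ssh2
Mar  4 10:05:00 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.4 port 40100 ssh2
"""

# Constructed sample: JSON events from an identity provider (schema is made up).
IDP_EVENTS = """\
{"timestamp": "2024-03-04T10:02:15Z", "actor": "alice", "client_ip": "198.51.100.7", "outcome": "FAILURE"}
{"timestamp": "2024-03-04T10:03:40Z", "actor": "alice", "client_ip": "198.51.100.7", "outcome": "SUCCESS"}
{"timestamp": "2024-03-04T10:30:00Z", "actor": "bob", "client_ip": "203.0.113.9", "outcome": "SUCCESS"}
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_sshd(text: str) -> list[dict]:
    """Map sshd syslog lines onto the common schema; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(
            year=SYSLOG_YEAR, tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "sshd", "user": m["user"],
                       "src_ip": m["ip"],
                       "outcome": "success" if m["result"] == "Accepted" else "failure"})
    return events


def normalize_idp(text: str) -> list[dict]:
    """Map identity-provider JSON lines onto the common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        ts = datetime.strptime(raw["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "idp", "user": raw["actor"],
                       "src_ip": raw["client_ip"], "outcome": raw["outcome"].lower()})
    return events


def rule_failures_then_success(events: list[dict], threshold: int = 3,
                               window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert when a user's successful login follows >= threshold failures within
    the window, counting failures from every source together."""
    alerts = []
    feed = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(feed):
        if ev["outcome"] != "success":
            continue
        prior = [p for p in feed[:i]
                 if p["user"] == ev["user"] and p["outcome"] == "failure"
                 and ev["ts"] - p["ts"] <= window]
        if len(prior) >= threshold:
            alerts.append({"user": ev["user"], "at": ev["ts"], "failures": len(prior),
                           "sources": sorted({p["source"] for p in prior} | {ev["source"]}),
                           "src_ips": sorted({p["src_ip"] for p in prior})})
    return alerts


def run_detection() -> list[dict]:
    """Combine both sources and evaluate the rule, as a SIEM would."""
    return rule_failures_then_success(normalize_sshd(SSHD_LOG) + normalize_idp(IDP_EVENTS))


if __name__ == "__main__":
    for a in run_detection():
        print(a)
```

Run against either source on its own, the rule never reaches its threshold of three failures for alice; only the merged feed does, which is the case for centralizing in the first place. The threshold and window are the knobs that trade missed detections against the false positives that feed alert fatigue, and the normalization step is where timezone and schema mistakes silently break correlation, so both deserve tests of their own.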
False Positive →
A false positive is a security alert that fires for behavior that turns out not to be malicious.
Threat Hunting →
Threat hunting is the proactive search for adversaries who have evaded existing detection rules.
Incident Response →
Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.